# Explain Organizational Documentation and Policies
## Operating Plans and Procedures
- Configuration management -> method/process to make sure new and existing machines have the same, correct configuration for optimal security, efficiency, and network connectivity
    - Assets and configuration items
    - Asset management
    - Baselines
- Change management -> tracking changes on the network (opening/closing ports, for example)
    - Reactive vs proactive
    - Change request and approval
- Standard operating procedures (SOPs) -> documented procedures to follow for any type of routine task, such as applying access controls or policies
## System Life Cycle Plans and Procedures
- Audit report
    - Identify and record assets
- Assessment report
    - Evaluate configuration/performance
    - Compare to baselines
- System life cycle
    - Acquisition, deployment, use, and decommissioning
## Physical Network Diagrams
- Floor plan
    - Detailed scale diagram
- Wiring diagram
    - Illustrate and document cable termination
- Distribution frame
    - Port IDs
    - Main vs intermediate distribution frames (MDF vs IDF)
- Site survey report
## Rack Diagrams
- Rack format
    - Standard 19" width
    - Height in multiples of 1.75" rack units (U)
- Stencils
    - Position of appliances
    - Label network and power ports
- Configuration and asset management
## Logical vs Physical Network Diagrams
- Diagram types
    - Detailed physical plans
    - Schematics
- Constrain to a single OSI layer per diagram
    - Physical (PHY) - layer 1
    - Data link - layer 2
    - Network - layer 3
    - Application - layer 7
- Standard icons:
    - ![[DiagramIcons.png]]
## Security Response Plans and Procedures
- Incident response plan -> handles **security incidents**; the plan differs for each company depending on its needs
    - Categorize incident types, such as data breach, malware/intrusion detection, denial of service (DoS), etc.
    - Restoring security vs preserving evidence -> decide which takes priority for your organization
- Disaster recovery plan -> **addresses large-scale incidents**
    - Identify major incident scenarios
    - Train staff in the disaster planning procedure
    - Identify scenarios for natural and non-natural disasters and options for protecting systems
- Business continuity plan -> processes and resources that enable an organization to maintain normal business operations in the face of some adverse event
    - Identify and prioritize functions for investment in fault tolerance/redundancy
    - Business impact analysis (BIA)
    - IT contingency planning (ITCP)
## Hardening and Security Policies
- Security policy types:
    - Ensure the confidentiality, integrity, and availability of any data assets or processing systems
- Human Resources (HR)-led policies
    - Onboarding
        - Background check
        - Identity and access management (IAM)
        - Asset allocation -> provision systems for the user, or agree on the use of BYOD
        - Training/policies -> schedule appropriate security awareness and role-relevant training and certification
    - Offboarding
        - IAM -> disable user account and privileges
        - Retrieve company assets -> secure mobile devices, keys, smart cards, USB media, and so on. Prove/confirm no copies of data have been retained
        - Return personal assets -> employee-owned devices need to be wiped of corporate data and applications
## Usage Policies
Usage policies set out rules for how users should interact with network systems and data.
#### Password Policy
Instructs users on best practice in choosing and maintaining a network access credential. These policies mitigate the risk of attackers being able to compromise an account.
Constraints can include:
- Length
- Complexity (special characters, numbers, etc.)
- Aging and history
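An added example (not from these notes) showing how the four constraint types above can be enforced together; the numeric thresholds in `POLICY`, the helper names and the sample passwords are assumed:

```python
import hashlib
import hmac
import os
from datetime import date

# Assumed policy values: the notes name the constraint types, not the numbers.
POLICY = {"min_length": 12, "min_classes": 3, "max_age_days": 90, "history_size": 5}

def _digest(password, salt):
    # Salted PBKDF2 so the stored history cannot be reversed into old passwords
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def complexity_classes(password):
    # Count the distinct character classes present: lower, upper, digit, special
    checks = (str.islower, str.isupper, str.isdigit, lambda c: not c.isalnum())
    return sum(any(check(c) for c in password) for check in checks)

def check_new_password(candidate, history, policy=POLICY):
    """Return the names of violated constraints; an empty list means accepted.
    history is a list of (salt, digest) tuples, newest first."""
    problems = []
    if len(candidate) < policy["min_length"]:
        problems.append("length")
    if complexity_classes(candidate) < policy["min_classes"]:
        problems.append("complexity")
    # History: re-derive the candidate with each stored salt and compare in constant time
    for salt, digest in history[:policy["history_size"]]:
        if hmac.compare_digest(_digest(candidate, salt), digest):
            problems.append("history")
            break
    return problems

def is_expired(last_changed, today, policy=POLICY):
    # Aging: the credential must be rotated once it is older than max_age_days
    return (today - last_changed).days > policy["max_age_days"]

def rotate(history, new_password, policy=POLICY):
    # Record the new salted digest at the front and keep only history_size entries
    salt = os.urandom(16)
    history.insert(0, (salt, _digest(new_password, salt)))
    del history[policy["history_size"]:]
    return history

if __name__ == "__main__":
    hist = rotate([], "Old-Secret-2023!")  # constructed previous password
    print(check_new_password("short", hist))                # ['length', 'complexity']
    print(check_new_password("Old-Secret-2023!", hist))     # ['history']
    print(check_new_password("Brand-New-Secret-42", hist))  # []
    print(is_expired(date(2024, 1, 1), date(2024, 6, 1)))   # True
```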
#### Acceptable Use Policies
Sets out the permitted uses of a product or service. It might also state explicitly prohibited uses. Such a policy might be used in different contexts. For example, an AUP could be enforced by a business to govern how employees use equipment and services, such as telephone or Internet access, provided to them at work.
#### BYOD Policies
A mobile deployment model describes the way employees are provided with smartphone or tablet devices and applications. Some companies issue employees with corporate-owned and controlled devices and insist that only these are used to process company data. Other companies might operate a bring your own device (BYOD) policy. BYOD means that the mobile is owned by the employee and can be used on the corporate network so long as it meets a minimum specification required by the company (in terms of OS version and functionality). The employee will have to agree to the installation of corporate apps and to some level of oversight and auditing. Very often, BYOD devices are registered with enterprise management software and configured with sandboxed corporate workspaces and apps.
## Data Loss Prevention
- Risks from data breach
- Hard to deploy
- Data loss prevention (DLP) software
    - Scan file and data stores
    - Match confidential and personal/sensitive data
    - Control access, copying, and printing
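An added example (not from these notes) of the three DLP functions just listed, scanning a constructed in-memory file store, matching card numbers, a confidentiality marker and e-mail addresses, and deriving an access/copy/print decision; the file contents, rule names and the handling rule in `allowed_actions` are assumed:

```python
import re

# Constructed sample file store (path -> contents); not data from the notes.
FILE_STORE = {
    "reports/q3-summary.txt": "Quarterly revenue up 4%. Contact: pr@example.com",
    "hr/payroll-export.csv": "name,card\nA. Jones,4111 1111 1111 1111\n",
    "legal/merger.docx.txt": "CONFIDENTIAL - INTERNAL ONLY\nDraft terms attached.",
    "notes/ticket.txt": "ref 1234 5678 9012 3456 is an order id, not a card",
}

def luhn_ok(digits):
    # Luhn checksum: filters out 13-16 digit runs that are not real card numbers
    total = 0
    for i, d in enumerate(reversed(digits)):
        n = int(d) * (2 if i % 2 else 1)
        total += n - 9 if n > 9 else n
    return total % 10 == 0

# Detection rules: (label, pattern, optional validator applied to each regex hit)
RULES = [
    ("payment-card", re.compile(r"\b(?:\d[ -]?){13,16}\b"),
     lambda hit: luhn_ok(re.sub(r"\D", "", hit))),
    ("confidential-marker", re.compile(r"\bCONFIDENTIAL\b"), None),
    ("email-address", re.compile(r"[\w.+-]+@[\w-]+\.[\w.]+"), None),
]

def scan_store(store, rules=RULES):
    """Return {path: [matched rule labels]} for every file holding sensitive data."""
    findings = {}
    for path, text in store.items():
        hits = [label for label, pattern, validate in rules
                if any(validate is None or validate(m) for m in pattern.findall(text))]
        if hits:
            findings[path] = hits
    return findings

def allowed_actions(labels):
    # Assumed handling rule: card data and confidential markers block copy/print;
    # an e-mail address alone is only logged
    if "payment-card" in labels or "confidential-marker" in labels:
        return {"read": True, "copy": False, "print": False}
    return {"read": True, "copy": True, "print": True}

if __name__ == "__main__":
    for path, labels in scan_store(FILE_STORE).items():
        print(path, labels, allowed_actions(labels))
```

The ticket file shows why the validator matters: its 16-digit run fails the Luhn check, so it is not flagged as card data.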
## Remote Access Policies
- Ensure remote devices and network connections do not create vulnerabilities
    - Malware protection and patching of remote hosts
    - Protection of credentials
    - Protection for data processed off-site
- Treat remote hosts and networks as untrusted
## Common Agreements
- Service level agreement (SLA)
- Non-disclosure agreement (NDA)
    - Legal basis for protecting information assets
    - Used in employment contracts and between companies
- Memorandum of understanding (MoU)
# Explain Physical Security Methods
## Badges and Site Secure Entry Systems
- Access control hardware
    - Badge reader
    - Biometric
- Access control vestibule
    - Prevents tailgating and piggybacking
    - Turnstile
    - "Mantrap"
## Physical Security for Server Systems
- Locking racks
    - Lock whole rack
    - Bracket/shelf locks
- Locking cabinets
- Smart lockers
    - Smart card/biometric lock
    - Sensors to detect add/remove
## Detection-Based Devices
- Surveillance systems and security guards
- Cameras
    - Fixed vs pan-tilt-zoom (PTZ)
    - Focal length
    - CCTV coax networks
    - IP camera data and PoE networks
- Asset tags
    - Link asset to database/configuration management
    - Radio frequency ID (RFID) monitored tags
## Alarms and Tamper Detection
- Alarm types
    - Circuit/tamper detection
    - Motion detection
- Alarms for rack systems and chassis intrusion
- Tamper detection for cabling
    - Protected distribution system (PDS)
## Asset Disposal
- Factory reset/config wipe
    - Remove accounts and passwords
    - Remove configuration and information
    - Remove licensing keys and registration
- Data remnants and media sanitization
    - Physical destruction
    - Overwriting (HDDs vs SSDs)
    - Secure erase (SE)
    - Instant secure erase (ISE)
## Employee Training
- Security awareness
    - Incident reporting
    - Site security
    - Data and credential handling
    - Social engineering, malware, and other threat awareness
- Role-based training
# Compare and Contrast IoT Devices
## IoT
- Consumer-grade smart devices
    - Hub vs device functions
- Physical access control systems and smart buildings
## ICS/SCADA
- Industrial control systems (ICS) and the AIC triad
    - Workflow and process automation systems
    - Power supplies, water supplies, health services, telecommunications, and national security services
- Programmable logic controller (PLC)
    - Mechanical devices and sensors
    - Human-machine interface (HMI)
- Supervisory control and data acquisition (SCADA)
    - ICS distributed over large areas
    - Control software running on PCs
    - Cellular communications
## IoT Networks
- Operational technology (OT) networks
    - Serial data or industrial Ethernet
    - Require deterministic, low-latency delivery rather than high bandwidth
- Cellular networks
    - Deterministic, low-latency versions of 4G/5G
- Z-Wave and Zigbee
    - Wireless mesh for home automation devices
## Placement and Security
- Consumer-grade smart devices
    - Vendor assessment
    - Risks from shadow IT
- Smart buildings
    - Isolate management traffic from data networks
    - Include in configuration management/assessments
- ICS/SCADA
    - Isolate/monitor connections to data networks